Why Did Trump Hire McMaster in the First Place?

Much has been written about Trump’s now former National Security Council advisor H.R. McMaster, who at one time was General Petraeus’ ‘go-to’ tank operations expert in Iraq. The 3-star general never really gelled in a cohesive policy relationship with President Trump from the outset, and the chatter in DC for months was that his time at the White House was going to be short.


Question is who recommended McMaster to Trump in the first place and who did the background investigation such that Trump accepted and confirmed him to lead the National Security Council?

“After 34 years of service to our nation,” the lieutenant general said, “I am requesting retirement from the U.S. Army effective this summer, after which I will leave public service.” A White House official told VOA that the president and McMaster had mutually agreed upon McMaster’s resignation, after discussing it for some time. The official said the president asked McMaster to stay on until mid-April to ensure a smooth transition, and McMaster agreed. A graduate of the U.S. Military Academy, known as West Point, McMaster earned a Silver Star for leadership during the Persian Gulf War when, as a cavalry commander, he led a small contingent of U.S. tanks to destroy 80 Iraqi tanks and other vehicles. More here.

Well, the Daily Caller did some remarkable deeper work on McMaster, spelling out how Trump never should have brought him on board in the first place. The other question is why the Pentagon did not advise McMaster to terminate his outside relationship, especially one touching some rogue nations.

  • Outgoing National Security Advisor H.R. McMaster worked for a foreign-based think tank for 11 years before assuming his post
  • The think tank has ties to Russia, China, the Uranium One deal and Bahrain
  • Career armed forces officers spoke out against the arrangement

Outgoing National Security Advisor Lt. Gen. H.R. McMaster served for more than a decade as a consultant to the London-based International Institute for Strategic Studies, a foreign-based think-tank that has received funding from hostile foreign governments to include Russia and China, according to a Daily Caller News Foundation investigation.

The career soldier ended his employment at the International Institute for Strategic Studies (IISS) in February 2017 after President Donald Trump tapped him to serve as his national security adviser following the resignation of former National Security Adviser Michael Flynn.

McMaster is planning to leave the NSC in April, to be replaced by former U.N. Ambassador John Bolton, according to The Wall Street Journal.

The outgoing NSC official said in a statement, he was “requesting retirement from the U.S. Army effective this summer after which I will leave public service.”

The general, who did not leave the Army to assume his NSC post, was one of only two White House national security chiefs who retained active duty status while working at the White House. The other general was Gen. Colin Powell.

McMaster never publicized his decade-long outside consultant work with the foreign-based think tank that often supported a globalist agenda opposed by Trump. IISS often espoused foreign and military policies that served as the centerpiece of the Obama presidency, including support for the former president’s Iran nuclear deal.

While his 11 years at the institute were never part of his official military biography, former military officers who learned of it were harshly critical of his unusual moonlighting.

Veteran military officers expressed disbelief at McMaster’s consulting work at a foreign-based think tank that receives funding from hostile governments. They called the arrangement “unethical” and “unprecedented.”

IISS operates offices in Bahrain, Singapore and Washington, D.C. It generally reflects a globalist “realist” Eurocentric view of foreign and military postures that’s at odds with Trump’s foreign policy. The think-tank was a major advocate of former President Barack Obama’s nuclear deal with Iran.

IISS receives funding from friendly Western sources such as aerospace firms and even the British army, but it has also received funding from the Russian Federation, China’s Ministry of Foreign Affairs, as well as the governments of Azerbaijan, Turkey, Qatar, Pakistan, Saudi Arabia and Bahrain, according to the IISS website.

During McMaster’s time at IISS, the think tank also received $700,000 from George Soros’s Open Society and $140,000 from Ploughshares, the pacifist organization that aggressively pushed for Obama’s Iran nuclear deal.

The organization’s council — its board of directors — also is filled with people who have ties to the Kremlin, to the Qatari emir who has been accused of supporting terrorists, to people associated with the Uranium One scandal, and with a Russian investment bank that paid former President Bill Clinton $500,000 for a single speech.

“This is bizarre,” retired Army Lt. Gen. William “Jerry” Boykin said in an interview with TheDCNF. “If that kind of information was available to The Trump administration before they selected him, the question is: Would they have selected him for this very job?”

The Army told TheDCNF that from 2006 when he first joined IISS as a “senior research associate” until he left in 2017, he did file annual financial disclosure forms notifying the Army of payments he received from the institute.

McMaster’s office did not respond to a DCNF request for his current financial disclosure form, which he was required to submit in 2017 as a White House employee.

Retired Rear Adm. James “Ace” Lyons, who served 35 years in the Navy, including a stint as commander of the Pacific Fleet, told TheDCNF McMaster’s consulting role at the think tank was “absurd.”

“It is really absurd that an active duty military officer, particularly one of flag rank, is a consultant to a foreign organization that is taking money and contributions from questionable countries that are known enemies of the United States,” Lyons told TheDCNF in an interview. “This to me seems to be outside the bounds of what we’re committed to. This is atrocious.”

“I’ve never seen this kind of thing before,” said Boykin, a 36-year veteran who served as under secretary for defense intelligence for President George W. Bush.

Boykin said he was convinced any commanding officer would have rejected McMaster’s proposed consulting work at IISS. “I cannot believe that the ethics people of the U.S. Army would approve of him doing that, and I can’t believe that any responsible person he worked for in the Army would have agreed to that.”

William J. Sharp, a public affairs civilian attached to U.S. Army Headquarters, told TheDCNF the Army accepted McMaster’s proposed consulting work at IISS without any prior approval because they regarded the think tank as not falling under the category of a “prohibited source.”

The term “prohibited source” relates to a company that seeks a business or other formal contractual relationship from the Department of Defense. Using that limited standard, the Army concluded IISS was not a prohibited source and McMaster did not need to obtain prior approval from military superiors.

“IISS is not a prohibited source for Army personnel,” Sharp told TheDCNF in an email. “Therefore, LTG McMaster was not required to obtain approval prior to consulting for IISS.”

“I’m surprised at this,” Boykin said. “I find this in my view and in my experience of 36 years to be unprecedented, and I would love to see an authorization. And if it’s an open-ended authorization — if there’s one at all — then I would be willing to bet you it was an error on the part of whoever provided that authorization. You just can’t do this on your own,” he told TheDCNF.

Retired Special Forces Col. James Williamson told TheDCNF he considered it “very unusual” for an active duty officer to serve for a decade at any educational institution. “It’s very unusual for a general officer on active duty to have that type of affiliation over that timespan,” he said. “I’ve had friends that have gone to Harvard or the Fletcher School at Tufts, but they’re U.S.-based.” He said most terms were for a short duration — usually six months to a year.

In fact, the military approves and even encourages active duty officers to seek temporary assignments with American educational institutions and think tanks. But those assignments are very short and rarely extend for more than a year.

Williamson said active duty military officers have plenty of private sector and think tank opportunities after they leave military service. “We have other people who served in London, but they’re not on active duty. They’re retired officers and there’s no problem with that,” he said.

Williamson, a counter terrorism specialist who served with NATO and U.S. Southern Command, said he regarded McMaster’s work as posing a basic “conflict of interest” in light of funding from hostile governments. That funding “would almost make it a de facto conflict of interest in my eyes.”

Retired U.S. Air Force Col. James Waurishuk, who also worked at the NSC, agreed. “I would be concerned about the work he’s doing and how it applies in relation to a think-tank that’s taking money from perhaps adversarial foreign governments. That would be of concern to me,” he said.

Williamson also shared the same view and added that even working at a London think tank poses problems. “Even our closest allies don’t have the same agendas and priorities that we do,” he said.

During his 11 years with IISS, the group promoted McMaster’s activities. A review of previous IISS websites by TheDCNF shows he was highlighted between six and 10 times each year.

IISS praised McMaster when he joined the Trump White House. Jonathan Stevenson, an Obama NSC official who also is a senior fellow at IISS, wrote a fawning opinion piece about McMaster in The New York Times. He called him a “compelling choice: a scholar-warrior” and “both a proven cavalry officer and a formidable defense intellectual.” Stevenson wrote McMaster could save Trump, and the general’s appointment, “should augur at least a fleeting period of stability at the dysfunctional National Security Council.”

Igor Yurgen has been on the IISS Council since 2010. He is chairman of Renaissance Capital Group, which awarded Bill Clinton $500,000 in speaking fees.

Russia Today, a pro-Kremlin news organization, once described Yurgen as “one of Russia’s most influential experts close to [former] President Dmitry Medvedev.”

“He is remarkably skilled at combining public, business and political careers,” according to RT.

Another council member is Michael Rich, an executive vice president of the RAND Corp. But significantly, he is co-chair of the board of overseers of a project called the RAND Qatar Policy Institute.

The Qatar Policy Institute is also part of the Qatar Foundation, started by Qatar’s former emir, Sheikh Hamad Bin Khalifa Al Thani, and his wife, Sheikha Moza bint Nasser.

Saudi Arabia and the Persian Gulf states accuse Qatar of supporting Islamic terrorism. Al Thani has supported the Taliban in Afghanistan, Hamas in the Gaza Strip, militias in Libya, and the Muslim Brotherhood, The New York Times reported in 2014. The Emir personally traveled in 2012 to the Gaza Strip, where he received a hero’s welcome as he pledged to work with the terrorist group Hamas. Al Thani also founded Al Jazeera, the pro-Muslim Brotherhood television news channel.

Badr Jafar, another current council member, is the son of Hamid Jafar, who founded the biggest private equity firm in the Middle East, North Africa and South Asia. Badr is the CEO of Crescent Enterprises and, with his father Hamid Jafar, engineered an oil exploration partnership between their Emirates-based company, Crescent Petroleum, and Boris Kovalchuk, CEO of the Russian company Inter Rao UES.

News agencies in the United Arab Emirates hailed the 2010 financial deal between Crescent and Moscow. “Russian state news agencies began their coverage of the recent high-level meeting in Moscow between Crescent officials, the Russian prime minister, Vladimir Putin, and the Iraqi former prime minister Dr Ayad Allawi by linking the names of Hamid Jafar and Mr Putin,” according to the National Business report.

Russian President Vladimir Putin decreed that all shares of Inter Rao UES be transferred to the Russian state-owned atomic energy agency called Rosatom. Kovalchuk is a Kremlin confidant who served as a vice president of Rosatom. Americans know about Rosatom because of its purchase of Uranium One, which was made possible by then Secretary of State Hillary Clinton’s support for the Russian acquisition.

While McMaster was a consultant at IISS the organization was a strong, unwavering supporter of President Obama’s nuclear deal with Iran.

Mark Fitzpatrick, its director for non-proliferation and disarmament was the most outspoken IISS director for the nuclear deal calling it in 2015 a “a potential game changer in many ways, opening a path to better relations with Iran that has been closed for more than 35 years.” Fitzpatrick said the deal “makes it demonstrably less likely Iran will become nuclear-armed now and in the future.”

IISS also entered domestic American politics by defending the Democratic Party during the 2016 presidential campaign. It flatly stated following the release of emails from the Democratic National Committee it “revealed no evidence of significant wrongdoing within the Democratic Party.”

IISS also has been criticized for the secrecy of its activities and its routine denial of visas for reporters seeking to attend its overseas events, particularly its annual event in Bahrain, where human rights groups accuse the government of silencing critics and keeping journalists away.

BahrainWatch, a human rights group, published an investigation in December 2016 claiming that even well-known American journalists have been barred from its Bahrain conferences, called the “Manama Dialogue.”

“New York Times journalist Nicholas Kristof has openly called for an invitation since 2011, though his media visa was once again rejected last year. Wall Street Journal journalist Yaroslav Trofimov was also denied a visa.”

Waurishuk concluded that McMaster’s relationship with IISS raises too many alarms.

“There’s too many red flags that kind of go up,” he said.

Neither IISS Washington nor IISS London returned repeated queries about McMaster.

POTUS and Omnibus, No Line Item Veto?

2232 pages of stupid and everyone should take the time to just scan the $1.3 trillion spending bill. I got to page 184 last night and went to bed mad. There is no line item veto but there should be. President Trump can veto the whole truck load of crap and should. In place of the line item veto, he can wield his pen and sign an Executive Order eliminating countless crazy spending things or suspend some of the acts for the rest of his term. Something like the Food for Progress Act. And we are still bailing out the healthcare insurance companies…. anyway…there is also $687 million to address Russian interference. Just what is that plan?

  1. How about the Cloud Act? Foreign governments get access to our data? WHAT?
  2. Okay, how about Trump’s “wall funding.” It’s not a wall. It’s repairs, drones and pedestrian fencing – no construction.
  3. Then we have the House Freedom Caucus with their letter to President Trump.

So…need more? Conservative Review has these 10 items for your consideration. Here are the top 10 problems with the bill:

    1) Eye-popping debt: This bill codifies the $143 billion busting of the budget caps, which Congress adopted in February, for the remainder of this fiscal year. This is on top of the fact that government spending already increased $130 billion last year over the final year of Obama’s tenure. Although the Trump administration already agreed to this deal in February, the OMB put out a memo suggesting that Congress appropriate only $10 billion of the extra $63 billion in non-defense discretionary spending. Now it’s up to Trump to follow through with a veto threat. It’s not just about 2018. This bill paves the road to permanently bust the budget caps forever, which will lead to trillions more in spending and cause interest payments on the debt to surge past the cost of the military or even Medicaid in just eight years.

    Keep in mind that all the additional spending will be stuffed into just six months remaining to the fiscal year, not a 12-month period. A number of onerous bureaucracies will get cash booster shots instead of the cuts President Trump wanted.

    Remember when Mick Mulvaney said the fiscal year 2017 budget betrayal was needed so that he could do great things with the fiscal year 2018 budget? Good times.

    2) Bait and switch on the wall: Since this bill increases spending for everything, one would think that at least the president would get the $15 billion or so needed for the wall. No. The bill includes only $641 million for 33 miles of new border fencing but prohibits that funding for being used for concrete barriers. My understanding is that President Trump already has enough money to begin construction for roughly that much of the fence, and pursuant to the Secure Fence Act, he can construct any barrier made from any This actually weakens current law.

    3) Funds sanctuary cities: When cities and states downright violate federal law and harbor illegal aliens, Congress’ silence in responding to it is deafening. Cutting off block grants to states as leverage against this dangerous crisis wasn’t even under discussion, even as many other extraneous and random liberal priorities were seriously considered.

    4) Doesn’t fund interior enforcement: Along with clamping down on sanctuary cities, interior enforcement at this point is likely more important than a border wall. After Obama’s tenure left us with a criminal alien and drug crisis, there is an emergency to ramp up interior enforcement. Trump requested more ICE agents and detention facilities, but that call was ignored in this bill. Trump said that the midterms must focus on Democrats’ dangerous immigration policies. Well, this bill he is supporting ensures that they will get off scot-free.

    5) Doesn’t defund court decisions: Some might suggest that this bill was a victory because at least it didn’t contain amnesty. But we have amnesty right now, declared, promulgated, and perpetuated by the lawless judiciary. For Congress to pass a budget bill and not defund DACA or defund the issuance of visas from countries on Trump’s immigration pause list in order to fight back against the courts is tantamount to Congress directly passing amnesty.

    6) Funds Planned Parenthood: We have no right to a border wall or more ICE funding, but somehow funding for a private organization harvesting baby organs was never in jeopardy or even under discussion as a problem.

    7) Gun control without due process: Some of you might think I’m being greedy, demanding that “extraneous policies” be placed in a strict appropriations bill. Well, gun control made its way in. They slipped in the “Fix NICS” bill, which pressures and incentivizes state and federal agencies to add more people to the system even though there is already bipartisan recognition that agencies are adding people who should not be on the list, including veterans, without any due process in a court of law. They are passing this bill without the House version of the due process protections and without the promised concealed carry reciprocity legislation. Republicans were too cowardly to have an open debate on such an important issue, so they opted to tack it onto a budget bill, which is simply unprecedented. The bill also throws more funding at “school violence” programs when they refuse to repeal the gun-free zone laws that lie at the root of the problem.

    8) More “opioid crisis funding” without addressing the problem: The bill increases funding for “opioid addiction prevention and treatment” by $2.8 billion relative to last year, on top of the $7 billion they already spent in February. This is the ultimate joke of the arsonist pretending to act as the firefighter, because as we’ve chronicled in detail, these funds are being used to clamp down on legitimate prescription painkillers and create a de facto national prescription registry so that government can violate privacy and practice medicine. Meanwhile, the true culprits are illicit drugs and Medicaid expansion, exacerbated by sanctuary cities, as the president observed himself. Yet those priorities are jettisoned from the bill.

    9) Student loan bailout: The bill offers $350 million in additional student loan forgiveness … but only for graduates who take “lower-paid” government jobs or work for some non-profits! This was a big priority of Sen. Elizabeth Warren.  Government created this problem of skyrocketing student debt by fueling it with subsidies and giving the higher education cartel a monopoly of accreditation, among other things. Indeed, this very same bill increases Pell grants by $2 billion. But more money is always the solution, especially when it helps future government workers.

    10) Schumer’s Gateway projects earmark: Conservatives had a wish list of dozens of items, but it’s Schumer’s local bridge and tunnel project that got included. While the bill didn’t contain as much as Schumer asked for (remember the tactic of starting off high), the program would qualify for up to $541 million in new transportation funding. Also, the bill would open up $2.9 billion in grants through the Federal Transit Administration for this parochial project that should be dealt with on a state level. New York has high taxes for a reason.


Assassinations of Russians, a Trend or Long Game?

A registry of foreign agents to Russia, compiled by the Justice Department, includes many of Washington’s most powerful legal, communications and lobbying firms, including Sidley Austin, Venable, APCO and White & Case. A review of those records, by the Center for Responsive Politics, found 279 registrations of Russian agents in the United States. More here.

***

“Putin’s inner circle is already subject to personal U.S. sanctions, imposed over Russia’s 2014 annexation of Ukraine’s Crimea region,” the Reuters news agency points out. … “But the so-called ‘oligarchs’ list’ that was released on Tuesday … covers many people beyond Putin’s circle and reaches deep into Russia’s business elite.”

Prime Minister Dmitry Medvedev is among the 114 senior political figures in Russia’s government who made the list, along with 42 of Putin’s aides, Cabinet ministers such as Foreign Minister Sergey Lavrov, and top officials in Russia’s leading spy agencies, the FSB and GRU. The CEOs of major state-owned companies, including energy giant Rosneft and Sberbank, are also on the list.

So are 96 wealthy Russians deemed “oligarchs” by the Treasury Department, which said each is believed to have assets totaling $1 billion or more. Some are the most famous of wealthy Russians, among them tycoons Roman Abramovich and Mikhail Prokhorov, who challenged Putin in the 2012 election. Aluminum magnate Oleg Deripaska, a figure in the Russia investigation over his ties to former Trump campaign chairman Paul Manafort, is included.

Russian Deputy Prime Minister Arkady Dvorkovich dismissed the list as simply a “who’s who” of Russian politics. He told Russian news agencies Tuesday he wasn’t surprised to find his name on the list, too, saying that it “looks like a ‘who’s who’ book.” Dvorkovich stopped short of saying how Russia would react to it, saying the Kremlin would “monitor the situation.” More here.

*** So when there are murder cases of Russian asylees in Britain, what are the agencies in the United States thinking?


Well there was Mikhail Lesin, a former friend of Putin found dead in his hotel in Dupont Circle, Washington DC. Then there was Operation Ghost Stories, the massive spy swap.

Imagine what the context and case reference is for the FBI when it comes to Russian operations in the United States and in allied countries. Or how many planes have been shot out of the sky where clues and evidence point to Russia? More is explained in the video below.

Beyond the attempted assassination of Skripal and his daughter in Salisbury two weeks ago, there was yet another confirmed death.

Whoever is behind the murder of a prominent Russian exile, who believed he was on a Kremlin hit list, managed to get inside his home without breaking in, police believe.

Nikolai Glushkov, 68, was found dead at home last week at his home in southwest London, and officers are now hunting for the culprits. His official cause of death is “compression to the neck.”

Before his death, Glushkov warned that a close friend of his had been murdered, and that he would be next.

In a Monday morning update on the investigation, the Metropolitan Police said they examined Glushkov’s house and found no signs of forced entry.

*** How bad is this trend?

Citigroup Pentagon Payment Portal 1.3 Million Weekend Hack Attempts

There are 47 pages of regulations for Department of Defense personnel using Citigroup credit cards while traveling.

Pentagon confirms hack attempt against Defense Department credit card holders

  • The Pentagon on Thursday confirmed that there was a hacking attempt against an online financial services portal that Citigroup manages for the Defense Department.
  • Citigroup had told CNBC that a “malicious actor” attempted to gain access to several Citi credit card accounts tied to the Department of Defense.
  • The attack, which included 1.3 million attempts, occurred over this past weekend.

The Pentagon on Thursday confirmed that there was a hacking attempt this past weekend against an online financial services portal that Citigroup manages for Defense Department credit card holders.

The confirmation comes a day after Citigroup told CNBC that a “malicious actor” attempted to gain access to information for Pentagon-linked credit card accounts.

The bank had responded to CNBC’s inquiry regarding an attempted hack this past weekend. The Pentagon, citing information from Citigroup, confirmed to CNBC on Thursday that there was an attack over the weekend of March 10.


The bank told the Defense Department that the attack came from a computer system that was randomly guessing cardholder account usernames and passwords.

The program hit Citigroup’s Pentagon online account application more than 1.3 million times. The hackers did successfully guess 318 Pentagon cardholders’ usernames and passwords, but they did not get past a secondary layer of account authentication.

“No data compromise occurred,” Citi told the Pentagon.

Citi provides financial services for the Government Travel Charge Card, or GTCC, which is used by Department of Defense personnel to pay for authorized expenses when on official travel.

CitiManager is the online portal used by the Defense Department to view statements online, make payments and confirm account balances.

The Pentagon’s Defense Travel Management Office oversees the processing of the GTCC.

*** Back in 2016, there was a hacker contest held by the Pentagon under Secretary Ash Carter….guess they missed that payment portal vulnerability possibility.

When the Pentagon announced the “Hack the Pentagon” event back in March, many wondered what kinds of vulnerabilities hackers would find when checking government websites for bugs. Now we know.

According to Defense Secretary Ash Carter, more than 250 participants out of the 1,400 submitted at least one vulnerability report, with 138 of those vulnerabilities determined to be “legitimate, unique and eligible for a bounty,” he said. The bounties ranged per person from $100 to around $15,000 if someone submitted multiple bugs.

The pilot program, which ran from April 18 to May 12, cost about $150,000, with around half of that going to participants. The results were released on Friday, according to the Department of Defense’s website.

“Hack the Pentagon” was deemed a cost-effective way to scour five of the US Defense Department’s websites (defense.gov, dodlive.mil, dvidshub.net, myafn.net and dimoc.mil, according to a DoD spokesman) for security bugs. Instead of going to outside security firms, which would’ve cost upwards of $1 million, the government instead recruited amateur hackers to do it for much less, some of whom were only in high school.

In addition to reporting on the number of bugs, Carter also said that the government has worked with HackerOne, a bug bounty platform, to fix the vulnerabilities and that the department has “built stronger bridges to innovative citizens who want to make a difference to our defense mission.” Carter wants the “bug bounty” program to extend to other areas of the government and wants to ensure that hackers and researchers can report bugs without a dedicated program.

“When it comes to information and technology, the defense establishment usually relies on closed systems,” he said. “But the more friendly eyes we have on some of our systems and websites, the more gaps we can find, the more vulnerabilities we can fix, and the greater security we can provide to our warfighters.”

Many websites already have bug bounty programs in place, but it was the first time the federal government had come up with such a program. It’s good experience for young hackers and security fiends who want to try to hack a government agency, although that’s a small amount of money for their time.

4 Days of Food Left…Panic? National Grid Hacked

If there is no transportation, there is no food, medicine or basic supplies….what country is ready to deal with this?

British cities would be uninhabitable within days and the country is only a few meals from anarchy if the National Grid was taken down in a cyber attack or solar storm, disaster and security experts have warned.

Modern life is so reliant on electricity that a prolonged blackout would quickly lead to a loss of water, fuel, banking, transport and communications that would leave the country “in the Stone Age”.


The warning comes weeks after the Defence Secretary, Gavin Williamson, said Russia had been spying on the UK’s energy infrastructure and could cause “thousands and thousands and thousands” of deaths if it crippled the power supply.

***

The U.S. government has just released an important cybersecurity alert that confirms Russian government cyberattacks targeting energy and other critical infrastructure sectors in the United States.

While there has recently been a significant rise in cyberattacks in these industries, up to now we’ve only been able to speculate on who the actors are, or what their motives may be. In this case the threat actor and their strategic intent has been clearly confirmed, something the U.S. government rarely does publicly.

In addition, the US-CERT alert provides descriptions of each stage of the attack, detailed indicators of compromise (IOCs), and a long list of detection and prevention measures. Many of the attack tactics are like Dragonfly 2.0, so much so that one might call this an expanded playbook for Dragonfly. The Nozomi Networks solution ships today with an analysis toolkit that identifies the presence of Dragonfly 2.0 IOCs.

This article is intended to help you gain perspective on this recent alert, provide additional guidance on what security measures to take, and describe how the Nozomi Networks solution can help.


U.S. energy facilities, like this one, are one of the critical infrastructure targets of the Russian cyberattacks.

Multi-Stage Campaigns Provide Opportunities for Early Detection

The US-CERT alert characterizes this attack as a multi-stage cyber intrusion campaign in which Russian cyber actors conducted spear phishing and gained remote access into targeted industrial networks. After obtaining access, the threat actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).

This pattern of behavior is typical of APTs (Advanced Persistent Threats). APTs occur over an extended period, meaning there is an opportunity to detect and stop them before damage is done. With the right technology monitoring the industrial network, it is much harder for them to go unobserved before their final attack.

In this case the Russian cyberattacks started by compromising staging targets, peripheral organizations such as trusted third-party suppliers, and using them as pivot points for attacking the final intended targets.

The attackers used a multitude of tactics involving information relevant to industrial control professionals for initial infection of the staging targets. Examples include:

  • Altering trade publication websites so that visitors from the target community were served malicious content (a watering-hole attack)
  • Sending emails containing resumes for ICS personnel as infected Microsoft Word attachments
  • Analyzing publicly available photos that inadvertently contained information about industrial systems

The credentials of staging targets’ staff were in turn used to send spear phishing emails to the staff of the intended targets. They received malicious .docx files which, when opened, tried to fetch a remote file from an attacker-controlled server over SMB; that request carried the victim’s credential hash, which the actors could then crack and reuse.
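As an added example (not code from the US-CERT alert or from Nozomi Networks), here is a scanner for the document side of that lure: it opens a .docx package, walks every relationship part, and reports any attached template that lives on a network server, since a UNC target is exactly what makes Word reach out over SMB and authenticate. The sample document is built in memory, and the host 203.0.113.10 is a documentation address; both are assumptions of this example.

```python
"""Flag Word documents that pull a remote template (the SMB credential-leak lure).

Added example, not code from the alert or from Nozomi Networks. The sample
document is constructed in memory; 203.0.113.10 is a documentation address.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from urllib.parse import urlparse

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def classify_target(target: str) -> str:
    """Coarse classification of a relationship target. 'unc' means Word will
    open it over SMB, so the victim's host authenticates to that server."""
    t = target.strip()
    if t.lower().startswith("file:"):
        t = t[5:]
        if t.startswith("///"):
            t = t[3:]            # file:///\\host\share -> \\host\share
        elif t.startswith("//"):
            return "unc"         # file://host/share is itself a network path
    if t.startswith("\\\\") or t.startswith("//"):
        return "unc"
    if re.match(r"^[A-Za-z]:[\\/]", t):
        return "local"           # a drive-letter path on the victim's own machine
    return urlparse(t).scheme.lower() or "relative"


def external_relationships(docx_bytes: bytes) -> List[Dict]:
    """Every relationship in any .rels part whose TargetMode is External."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                found.append({
                    "part": name,
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": target,
                    "scheme": classify_target(target),
                })
    return found


def remote_template_lure(docx_bytes: bytes) -> Optional[Dict]:
    """Return the offending relationship if the document attaches a template
    fetched from a network server (UNC/SMB or HTTP), else None."""
    for rel in external_relationships(docx_bytes):
        if rel["type"] == "attachedTemplate" and rel["scheme"] in ("unc", "http", "https"):
            return rel
    return None


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Constructed minimal .docx containing only the parts the scanner looks at."""
    rels = ""
    if template_target is not None:
        rels = (f'<Relationship Id="rId1" Type="{REL_TYPE_NS}/attachedTemplate" '
                f'Target="{template_target}" TargetMode="External"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("_rels/.rels", f'<Relationships xmlns="{RELS_NS}"/>')
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels",
                   f'<Relationships xmlns="{RELS_NS}">{rels}</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx(r"file:///\\203.0.113.10\share\Resume.dotm")
    print(remote_template_lure(lure))                     # attachedTemplate -> unc
    print(remote_template_lure(build_sample_docx(None)))  # None
```

The check is deliberately based on the package relationships rather than on macros: a template-injection document contains no VBA at all, which is why macro-blocking policies did not stop it.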

The SMB (Server Message Block) network protocol was used throughout the spear phishing phases to communicate with external servers, as was also described for the Dragonfly 2.0 attacks. This is a distinctive tactic: SMB is normally only used inside a LAN, not for outbound connections, so any SMB session leaving the perimeter is a strong signal. Now that this is known, asset owners should block outbound TCP 445 and 139 (and the NetBIOS ports, UDP 137 and 138) at their firewalls and alert on attempts, since even a blocked attempt identifies a host that opened the lure.
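The network side of the same check, as an added example that is not part of the original article: a small detector that reads firewall or flow log lines and reports SMB connections from internal hosts to addresses outside the internal ranges. The key=value log layout, the internal address ranges and every line of sample traffic are constructed assumptions; adapt the regex to your firewall's export format.

```python
"""Find outbound SMB in firewall/flow logs. Added example; the log layout is an
assumed generic key=value form and every address and line below is constructed."""
import ipaddress
import re
from typing import Dict, List

SMB_PORTS = {445, 139}
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+) action=(\w+)")

# What counts as "inside": RFC 1918 plus loopback and link-local (assumption: the
# plant network does not use public ranges internally). Listed explicitly because
# ipaddress.is_private also treats documentation ranges like 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

SAMPLE_FLOWS = """\
2018-03-15T10:01:02 src=10.20.1.55 dst=10.20.1.10 proto=tcp dport=445 action=allow
2018-03-15T10:01:09 src=10.20.1.55 dst=203.0.113.44 proto=tcp dport=445 action=allow
2018-03-15T10:02:11 src=10.20.1.56 dst=198.51.100.9 proto=tcp dport=443 action=allow
2018-03-15T10:03:30 src=10.20.1.57 dst=203.0.113.44 proto=tcp dport=139 action=deny
2018-03-15T10:04:00 src=10.20.1.58 dst=10.30.0.7 proto=tcp dport=445 action=allow
"""


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def outbound_smb(log_text: str) -> List[Dict]:
    """SMB (TCP 445/139) flows from an internal source to an external destination,
    whether the firewall allowed or denied them."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # unparseable line: skip, do not crash
        ts, src, dst, proto, dport, action = m.groups()
        if proto.lower() != "tcp" or int(dport) not in SMB_PORTS:
            continue
        if is_internal(src) and not is_internal(dst):
            hits.append({"ts": ts, "src": src, "dst": dst,
                         "dport": int(dport), "action": action})
    return hits


def leaked_hosts(log_text: str) -> List[str]:
    """Internal hosts whose outbound SMB was actually allowed: those machines have
    most likely already sent an NTLM authentication to the external server, so
    their users' credentials should be treated as exposed."""
    return sorted({h["src"] for h in outbound_smb(log_text) if h["action"] == "allow"})


if __name__ == "__main__":
    for h in outbound_smb(SAMPLE_FLOWS):
        print(h)
    print("hosts to check:", leaked_hosts(SAMPLE_FLOWS))
```

Denied attempts are reported on purpose: once the perimeter rule is in place, a deny on port 445 is the cheapest indicator that someone opened a document like the one described above.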

The credentials of the intended targets were used to access the victims’ networks. From there, the threat actors established multiple local administrator accounts, each with a specific purpose, from creating further accounts to cleaning up after the intrusion. The full alert is published by US-CERT as TA18-074A.

***

What Is Known

Forensic analysis shows that the threat actors sought information on network and organizational design and control system capabilities within the organization. In one instance, the report says, the threat actors downloaded a small photo from a publicly accessible human resource page, which, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background. The threat actors also compromised third-party suppliers to download source code for several intended targets’ websites. They also attempted to remotely access corporate web-based email and virtual private network (VPN) connections.

Once inside the intended target’s network, the threat actors used privileged credentials to access domain controllers over the Remote Desktop Protocol (RDP) and then used batch scripts to enumerate hosts and users, as well as to capture screenshots of systems across the network.
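Two of the behaviours described above (the creation of local administrator accounts, and RDP onto domain controllers) leave a clear trail in the Windows Security log. The following triage script is an added example, not code from the alert or from any vendor: it pairs event 4720 (account created) with a following 4732 (member added to the local Administrators group) on the same host, and flags 4624 logons of type 10 (RemoteInteractive, i.e. RDP) to a domain controller from anything other than an approved admin source. The event records, the domain controller names, the approved jump host and the field names of the parsed events are all constructed assumptions.

```python
"""Triage Windows Security events for two behaviours the alert describes: local
administrator accounts created by the intruder, and RDP logons to domain
controllers. Added example, not code from the alert. The events are constructed;
DC names, the approved jump host and the parsed field names are assumptions."""
from datetime import datetime, timedelta
from typing import Dict, List

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of the local Administrators group
RDP_LOGON_TYPE = "10"                  # 4624 logon type 10 = RemoteInteractive (RDP)

DOMAIN_CONTROLLERS = {"DC01", "DC02"}         # assumption
APPROVED_ADMIN_SOURCES = {"10.0.5.20"}        # assumed hardened admin jump host

# Constructed events, already parsed from the Security log into dicts.
# A real 4732 carries the member as a SID; "member" holds the account name here for brevity.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2018-03-01T02:10:00", "id": 4720, "host": "ENG-WS07",
     "subject": "CORP\\jsmith", "target": "support"},
    {"ts": "2018-03-01T02:10:30", "id": 4732, "host": "ENG-WS07",
     "subject": "CORP\\jsmith", "member": "support", "group_sid": ADMINISTRATORS_SID},
    {"ts": "2018-03-01T02:15:00", "id": 4624, "host": "DC01",
     "target": "CORP\\jsmith", "logon_type": "10", "source_ip": "10.0.8.41"},
    {"ts": "2018-03-01T03:00:00", "id": 4624, "host": "ENG-WS07",      # RDP, but not to a DC
     "target": "support", "logon_type": "10", "source_ip": "10.0.8.41"},
    {"ts": "2018-03-01T09:00:00", "id": 4624, "host": "DC01",          # from the jump host
     "target": "CORP\\admin", "logon_type": "10", "source_ip": "10.0.5.20"},
    {"ts": "2018-03-02T11:00:00", "id": 4720, "host": "HR-WS02",
     "subject": "CORP\\helpdesk", "target": "printsvc"},
    {"ts": "2018-03-02T11:05:00", "id": 4732, "host": "HR-WS02",        # Users group, not admin
     "subject": "CORP\\helpdesk", "member": "printsvc", "group_sid": "S-1-5-32-545"},
]


def new_local_admins(events: List[Dict], window: timedelta = timedelta(hours=1)) -> List[Dict]:
    """Pair a 4720 (account created) with a later 4732 that adds the same account
    to Administrators on the same host within `window`."""
    created = {}   # (host, account) -> creation time
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 4720:
            created[(ev["host"], ev["target"])] = datetime.fromisoformat(ev["ts"])
        elif ev["id"] == 4732 and ev.get("group_sid") == ADMINISTRATORS_SID:
            t0 = created.get((ev["host"], ev["member"]))
            if t0 is not None and datetime.fromisoformat(ev["ts"]) - t0 <= window:
                hits.append({"host": ev["host"], "account": ev["member"],
                             "created_by": ev["subject"], "elevated_at": ev["ts"]})
    return hits


def suspicious_dc_rdp(events: List[Dict]) -> List[Dict]:
    """4624 logon type 10 onto a domain controller from an unapproved source."""
    return [
        {"host": ev["host"], "user": ev["target"], "source": ev["source_ip"], "ts": ev["ts"]}
        for ev in events
        if ev["id"] == 4624
        and ev.get("logon_type") == RDP_LOGON_TYPE
        and ev["host"] in DOMAIN_CONTROLLERS
        and ev.get("source_ip") not in APPROVED_ADMIN_SOURCES
    ]


if __name__ == "__main__":
    for hit in new_local_admins(SAMPLE_EVENTS):
        print("new local admin:", hit)
    for hit in suspicious_dc_rdp(SAMPLE_EVENTS):
        print("RDP to DC from unapproved source:", hit)
```

The creation-to-elevation window is the useful knob: legitimate provisioning usually creates an account and adds it to a group in one run, so a short window catches both the intruder and sloppy admins, and the `created_by` field tells you which stolen credential was used.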

The threat is inside. US-CERT on March 15 warned that threat actors associated with the Russian government had infiltrated ICS and SCADA systems at power plants using a variety of tactics. This image is a DHS reconstruction of a screenshot fragment of a human machine interface (HMI) that the threat actors accessed. Source: US-CERT


Along with publishing an extensive list of indicators of compromise, the DHS and FBI recommended that network administrators review the IP addresses, domain names, file hashes, network signatures, and a consolidated set of YARA rules for malware associated with the intrusion, all authored by the National Cybersecurity and Communications Integration Center (NCCIC). YARA is an open-source, cross-platform tool for describing and matching the strings, byte patterns and conditions that samples of one malware family share, so a single rule can catch variants that matching on file hashes alone would miss.